b'Systems Evaluation of the Fees Systems\n\n\n OIG-04-A-23     September 30, 2004\n\n\n\n REDACTED FOR PUBLIC RELEASE\n\x0c                        OFFICE OF\n                 THE INSPECTOR GENERAL\n                       U.S. NUCLEAR\n                 REGULATORY COMMISSION\n\n\n\n\n                          Systems Evaluation of the\n                               Fee Systems\n\n                     OIG\xe2\x80\x9304-A-23 September 30, 2004\n\n\n\n\n              EVALUATION REPORT\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                               NRC\xe2\x80\x99s website at:\n             http://www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                                            September 30, 2004\n\n\n\n\nMEMORANDUM TO:               Luis A. Reyes\n                             Executive Director for Operations\n\n                             Jesse L. Funches\n                             Chief Financial Officer\n\n\nFROM:                        Stephen D. Dingbaum/RA/\n                             Assistant Inspector General for Audits\n\n\nSUBJECT:                     SYSTEM EVALUATION OF THE FEE SYSTEMS\n                             (OIG-04-A-23)\n\nThis evaluation was conducted as part of the Office of the Inspector General\xe2\x80\x99s review of\nNRC\xe2\x80\x99s implementation of the Federal Information Security Management Act (FISMA) for\nFY 2004. Richard S. Carson & Associates, Inc., performed this independent system\nevaluation on behalf of OIG.\n\nBased on its review and evaluation of the Fee Systems\xe2\x80\x99 management, operational, and\ntechnical controls, Richard S. 
Carson & Associates, Inc., determined that the Fee\nSystems has the following weaknesses:\n\n   \xc3\x98 Security documentation does not always follow required guidelines.\n   \xc3\x98 NRC is not tracking all action items resulting from testing the security controls.\n\nThe weaknesses identified are not significant deficiencies or reportable conditions.\nDuring an exit conference on September 14, 2004, NRC officials provided comments\nconcerning the draft audit report.and opted not to submit formal written comments to this\nreport.\n\nIf you have any questions or wish to discuss this report, please call me at 415-5915 or\nBeth Serepca at 415-5911.\n\nAttachment: As stated\n\x0cDistribution List\n\nB. John Garrick, Chairman, Advisory Committee on Nuclear Waste\nMario V. Bonaca, Chairman, Advisory Committee on Reactor Safeguards\nJohn T. Larkins, Executive Director, Advisory Committee on Reactor\n Safeguards/Advisory Committee on Nuclear Waste\nG. Paul Bollwerk, III, Chief Administrative Judge, Atomic Safety and\n Licensing Board Panel\nKaren D. Cyr, General Counsel\nJohn F. Cordes, Jr., Director, Office of Commission Appellate Adjudication\nJanice Dunn Lee, Director, Office of International Programs\nWilliam N. Outlaw, Director of Communications\nDennis K. Rathbun, Director, Office of Congressional Affairs\nEliot B. Brenner, Director, Office of Public Affairs\nAnnette Vietti-Cook, Secretary of the Commission\nPatricia G. Norry, Deputy Executive Director for Management Services, OEDO\nWilliam F. Kane, Deputy Executive Director for Homeland Protection\n  and Preparedness, OEDO\nMartin J. Virgilio, Deputy Executive Director for Materials, Research\n  and State Programs, OEDO\nEllis W. Merschoff, Deputy Executive Director for Reactor Programs, OEDO\nWilliam M. Dean, Assistant for Operations, OEDO\nJacqueline E. Silber, Chief Information Officer\nMichael L. Springer, Director, Office of Administration\nFrank J. Congel, Director, Office of Enforcement\nGuy P. 
Caputo, Director, Office of Investigations\nPaul E. Bird, Director, Office of Human Resources\nCorenthis B. Kelley, Director, Office of Small Business and Civil Rights\nJack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards\nJames E. Dyer, Director, Office of Nuclear Reactor Regulation\nCarl J. Paperiello, Director, Office of Nuclear Regulatory Research\nPaul H. Lohaus, Director, Office of State and Tribal Programs\nRoy P. Zimmerman, Director, Office of Nuclear Security and Incident Response\nSamuel J. Collins, Regional Administrator, Region I\nWilliam D. Travers, Regional Administrator, Region II\nJames L. Caldwell, Regional Administrator, Region III\nBruce S. Mallett, Regional Administrator, Region IV\nOffice of Public Affairs, Region I\nOffice of Public Affairs, Region II\nOffice of Public Affairs, Region IV\n\x0c                                \xe2\x80\x9cOffice of the Inspector General\n                                   System Evaluation of the\n                                         Fee Systems\xe2\x80\x9d\n\n\n\n\n                          Contract Number: GS-00F-0001N\n                        Delivery Order Number: DR-36-03-346\n\n                                              September 24, 2004\n\n\n\n\n\xe2\x80\x9cThe views, opinions, and findings contained in this report are those of the authors and should not be construed as an official U.S. Nuclear\n              Regulatory Commission position, policy, or decision, unless so designated by other official documentation.\xe2\x80\x9d\n\x0c[Page intentionally left blank]\n\x0c                                                                                System Evaluation of the Fee Systems\n\n\n\nEXECUTIVE SUMMARY\n\n\nBACKGROUND\n\n        On December 17, 2002, the President signed the E-Government Act of 2002 (Public Law\n        107-347), which includes the Federal Information Security Management Act (FISMA) of\n        2002. 
FISMA outlines the information security management requirements for agencies,\n        which include an independent evaluation of an agency\xe2\x80\x99s information security program\n        and practices, and an evaluation of the effectiveness of information security control\n        techniques. FISMA also requires an assessment of compliance with requirements and\n        related information security policies, procedures, standards, and guidelines. As part of\n        the Fiscal Year 2004 FISMA independent evaluation of the U.S. Nuclear Regulatory\n        Commission\xe2\x80\x99s (NRC) information technology security program, Richard S. Carson\n        Associates, Inc. (Carson Associates) reviewed security controls for the Fee Systems1.\n\n        NRC is required to recover a major portion of its annual budget, and in order to\n        implement this requirement NRC assesses fees in compliance with Federal law and NRC\n        regulations. The primary function of the Fee Systems is to generate invoices to licensees\n        for annual fees and fees for various services, including new licensing approvals, licensing\n        amendments, topical reports, and inspections. Additional functionality includes the\n        tracking of new small-materials licensing application fee payments.\n\nPURPOSE\n\n        The system evaluation objectives were to review and evaluate the management,\n        operational, and technical controls for the Fee Systems.\n\nRESULTS IN BRIEF\n\n        Carson Associates reviewed the Fee Systems security documentation and found that the\n        Fee Systems security documentation is not always consistent with National Institute of\n        Standards and Technology (NIST) guidelines, and findings and recommendations\n        resulting from testing are not consistently being tracked. 
None of these weaknesses are\n        considered to be significant deficiencies or reportable conditions as defined in Office of\n        Management and Budget guidance.\n\n        Security Documentation Is Not Always Consistent With NIST Guidelines\n\n        FISMA directs the Secretary of Commerce, on the basis of standards and guidelines\n        developed by NIST, to prescribe standards and guidelines pertaining to Federal\n        information systems. NIST has developed several guidelines and standards, including\n        those for conducting risk assessments, developing security plans, and contingency plans.\n\n1\n  NRC uses the term \xe2\x80\x9cFee Systems\xe2\x80\x9d to refer to a group of applications that support the collection of fees from\nlicensees. The group of applications is considered one system for the purposes of FISMA reporting. The term\n\xe2\x80\x9csystem\xe2\x80\x9d may be used throughout this report to refer to the \xe2\x80\x9cFee Systems.\xe2\x80\x9d\n\n\n                                                          i\n\x0c                                                                System Evaluation of the Fee Systems\n\n\n\n     NRC Management Directive (MD) 12.5, NRC Automated Information Security Program,\n     which was revised in September 2003, states that NRC shall comply with NIST guidance\n     to include guidance related to the preparation of security documentation (such as system\n     security plans, risk assessments, and contingency plans), and other applicable NIST\n     guidance for information technology security processes, procedures, and testing.\n\n     The previous version of MD 12.5 did not require compliance with NIST guidelines,\n     however, Office of Management and Budget (OMB) Circular A-130, Management of\n     Federal Information Resources, Appendix III, Security of Federal Automated\n     Information Resources, states that each agency\xe2\x80\x99s program shall implement policies,\n     standards and procedures 
which are consistent with government-wide policies, standards,\n     and procedures issued by the Office of Management and Budget, the Department of\n     Commerce, the General Services Administration and the Office of Personnel\n     Management. OMB periodically reminds agencies that agency security practices should\n     be consistent with NIST guidance. The FY 2004 FISMA guidance issued by OMB\n     specifically states that agencies must follow NIST standards and guidance. Use of NIST\n     guidance is flexible, provided agency implementation is consistent with the principles\n     and processes outlined within the NIST guidance.\n\n     Carson Associates reviewed the Fee Systems Risk Assessment, Security Plan, and\n     Business Continuity Plan and found that while the documentation is up-to-date, it is not\n     always consistent with NIST guidelines.\n\n     Findings and Recommendations Resulting From Testing Are Not Consistently\n     Being Tracked\n\n     The FY 2003 FISMA independent evaluation of NRC\xe2\x80\x99s information security program\n     found that not all corrective actions resulting from security reviews and testing were\n     being tracked and that the agency\xe2\x80\x99s corrective action process needed improvement. The\n     Office of the Inspector General (OIG) recommended that the agency identify all\n     weaknesses and recommendations from security documentation and any other security\n     reviews, and determine in which tool the recommendations will be tracked. In November\n     2003, the Office of the Chief Information Officer (OCIO) issued a memo describing the\n     agency\xe2\x80\x99s information technology security action item tracking process, strategy, and\n     tools. 
Carson Associates found that findings and recommendations resulting from testing\n     of the Fee Systems security controls are not consistently being tracked.\n\nRECOMMENDATIONS\n\n     This report makes four recommendations to the Chief Financial Officer and two\n     recommendations to the Executive Director for Operations to strengthen management,\n     operational, and technical controls for the Fee Systems. A consolidated list of\n     recommendations appears on page 11 of this report.\n\n\n\n\n                                              ii\n\x0c                                                             System Evaluation of the Fee Systems\n\n\n\nAGENCY COMMENTS\n\n     On September 14, 2004, the Executive Director for Operations and the Chief Financial\n     Officer provided comments concerning the draft system evaluation report. We modified\n     the report as we determined appropriate in response to these comments.\n\n\n\n\n                                           iii\n\x0c                                  System Evaluation of the Fee Systems\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              iv\n\x0c                                                         System Evaluation of the Fee Systems\n\n\n\nABBREVIATIONS AND ACRONYMS\n\n\nBCP      Business Continuity Plan\nFIPS     Federal Information Processing Standards\nFISMA    Federal Information Security Management Act\nFY       Fiscal Year\nGISRA    Government Information Security Reform Act\nITSSTS   Information Technology Systems Security Tracking System\nMD       Management Directive\nNIST     National Institute of Standards and Technology\nNRC      U.S. 
Nuclear Regulatory Commission\nOCFO     Office of the Chief Financial Officer\nOCIO     Office of the Chief Information Officer\nOIG      Office of the Inspector General\nOMB      Office of Management and Budget\nPOA&M    Plan of Action and Milestones\nSP       Special Publication\n\n\n\n\n                                       v\n\x0c                                  System Evaluation of the Fee Systems\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              vi\n\x0c                                                                                                  System Evaluation of the Fee Systems\n\n\n\nTABLE OF CONTENTS\n\n\nExecutive Summary ....................................................................................................... i\n\n1 Background .............................................................................................................. 1\n\n2 Purpose..................................................................................................................... 2\n\n3 Findings .................................................................................................................... 3\n    3.1     Security Documentation Is Not Always Consistent With NIST Guidelines....................3\n    3.2     Findings and Recommendations Resulting From Testing Are Not Consistently Being\n            Tracked.............................................................................................................................9\n4 Consolidated List of Recommendations.............................................................. 11\n\n5 OIG Response to Agency Comments................................................................... 
13\n\n\nAppendices\n\n    Appendix A: Scope and Methodology ..................................................................................14\n\n\n\n\n                                                                     vii\n\x0c                                  System Evaluation of the Fee Systems\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              viii\n\x0c                                                                                  System Evaluation of the Fee Systems\n\n\n\n1        Background\n\nOn December 17, 2002, the President signed the E-Government Act of 2002 (Public Law 107-\n347), which includes the Federal Information Security Management Act (FISMA) of 20022.\nFISMA outlines the information security management requirements for agencies, which include\nan independent evaluation of an agency\xe2\x80\x99s information security program and practices, and an\nevaluation of the effectiveness of information security control techniques. FISMA also requires\nan assessment of compliance with requirements and related information security policies,\nprocedures, standards, and guidelines. As part of the Fiscal Year 2004 FISMA independent\nevaluation of the U.S. Nuclear Regulatory Commission\xe2\x80\x99s (NRC) information technology security\nprogram, Richard S. Carson Associates, Inc. (Carson Associates) reviewed security controls for\nthe Fee Systems.\n\nThe Fee Systems\n\nNRC is required to recover a major portion of its annual budget, and in order to implement this\nrequirement, NRC assesses fees in compliance with the Omnibus Budget Reconciliation Act of\n1990, as amended, and the Independent Offices Appropriation Act of 1952. Fees are recovered\nas established in 10 CFR Part 170 and 10 CFR Part 171 of NRC regulations. The Office of the\nChief Financial Officer (OCFO), Division of Financial Management, License Fee Team\nadministers some components of the License Fee Management Program through use of\nautomated processes. 
The Fee Systems is a term used to refer to a group of applications that\nshare data from various sources throughout NRC. The group of applications is considered one\nsystem for the purposes of FISMA reporting. The term \xe2\x80\x9csystem\xe2\x80\x9d may be used throughout this\nreport to refer to the \xe2\x80\x9cFee Systems.\xe2\x80\x9d\n\nThe primary function of these applications is to generate invoices to licensees for annual fees and\nfees for various services, including new licensing approvals, licensing amendments, topical\nreports, and inspections. Additional functionality includes the tracking of new small-materials\nlicensing application fee payments. Two of the Fee Systems applications reside on a mainframe\nlocated at the National Institutes of Health (NIH). The remaining applications reside on the NRC\nlocal area network.\n\nThe NRC OCFO is system owner of the Fee Systems. The Fee Systems have been categorized\nas a Major Application3 and are in the operational4 phase of the system life cycle.\n\n\n\n\n2\n  The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the E-\nGovernment Act of 2002 (Public Law 107-347), and replaces the Government Information Security Reform Act,\nwhich expired in November 2002.\n3\n  An application that requires special attention to security due to the risk and magnitude of harm resulting from the\nloss, misuse, or unauthorized access to or modification of the information in the application.\n4\n  A system\xe2\x80\x99s life cycle typically comprises five phases: initiation, development/acquisition, implementation,\noperation/maintenance, and disposal. 
In the operation/maintenance phase, systems are in place and operating,\nenhancements and/or modifications to the system are developed and tested, and hardware and/or software is added\nor replaced.\n\n\n                                                           1\n\x0c                                                                             System Evaluation of the Fee Systems\n\n\n\nSystem Evaluation Process\n\nThe Fee Systems were evaluated by reviewing system documentation maintained by the Office\nof the Chief Information Officer (OCIO). As recommended by the Office of Management and\nBudget (OMB), Carson Associates reviewed the following documents for adherence to standards\nand consistency with guidelines issued by the National Institute of Standards and Technology\n(NIST).\n\n    \xe2\x80\xa2   Fee Systems Risk Assessment, May 2003\n    \xe2\x80\xa2   Fee Systems Security Plan, May 2003\n    \xe2\x80\xa2   Fee Systems Business Continuity Plan, May 2003\n    \xe2\x80\xa2   Fee Systems Security Test and Evaluation Plan and Report, May 2003\n    \xe2\x80\xa2   Fee Systems Re-certification and Re-accreditation Report, May 2003\n    \xe2\x80\xa2   Fee Systems Remediation Plan, December 2003\n    \xe2\x80\xa2   Fee Systems Project Plan, April 2004 and July 2004\n    \xe2\x80\xa2   Privacy Impact Assessment\n    \xe2\x80\xa2   FY 2003 and draft FY 2004 Fee Systems Self-Assessment\n\nThe documents were reviewed to determine whether they are consistent with NIST guidance and\nwhether they describe the management5, operational6, and technical7 controls in place for the Fee\nSystems.\n\nCarson Associates also reviewed documentation supporting the certification and accreditation of\nthe NIH mainframe to determine whether it is consistent with NIST guidance and whether it\ndescribes the management, operational, and technical controls in place for the components of the\nFee Systems residing at NIH. 
Several other NRC systems provide data to the Fee Systems to be\nused in the generation of invoices. Security controls for these other NRC systems were not\nanalyzed as part of the Fee Systems system evaluation.\n\n2       Purpose\n\nThe system evaluation objectives were to review and evaluate the management, operational, and\ntechnical controls for the Fee Systems.\n\n\n\n\n5\n  The security controls (i.e., safeguards or countermeasures) for an information system that focus on the\nmanagement of risk and the management of information system security.\n6\n  The security controls (i.e., safeguards or countermeasures) for an information system that primarily are\nimplemented and executed by people (as opposed to systems).\n7\n  The security controls (i.e., safeguards or countermeasures) for an information system that are primarily\nimplemented and executed by the information system through mechanisms contained in the hardware, software, or\nfirmware components of the system.\n\n\n                                                       2\n\x0c                                                                        System Evaluation of the Fee Systems\n\n\n\n3         Findings\n\nCarson Associates reviewed the Fee Systems security documentation and found that:\n\n      \xe2\x80\xa2   The Fee Systems security documentation is not always consistent with National Institute\n          of Standards and Technology guidelines.\n      \xe2\x80\xa2   Findings and recommendations resulting from testing are not consistently being tracked.\n\nNone of these weaknesses are considered to be significant deficiencies or reportable conditions\nas defined in OMB guidance.\n\n3.1       Security Documentation Is Not Always Consistent With NIST Guidelines\n\nFISMA directs the Secretary of Commerce, on the basis of standards and guidelines developed\nby NIST, to prescribe standards and guidelines pertaining to Federal information systems. 
NIST\nhas developed several guidelines and standards, including those for conducting risk assessments,\ndeveloping security plans, and contingency plans. NRC Management Directive (MD) 12.5, NRC\nAutomated Information Security Program, which was revised in September 2003, states that\nNRC shall comply with NIST guidance to include guidance related to the preparation of security\ndocumentation (such as system security plans, risk assessments, and contingency plans), and\nother applicable NIST guidance for information technology security processes, procedures, and\ntesting.\n\nThe previous version of MD 12.5 did not require compliance with NIST guidelines, however,\nOMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of\nFederal Automated Information Resources, states that each agency\xe2\x80\x99s program shall implement\npolicies, standards and procedures which are consistent with government-wide policies,\nstandards, and procedures issued by the Office of Management and Budget, the Department of\nCommerce8, the General Services Administration and the Office of Personnel Management.\nOMB periodically reminds agencies that agency security practices should be consistent with\nNIST guidance. The FY 2004 FISMA guidance issued by OMB9 specifically states that agencies\nmust follow NIST standards and guidance. 
Use of NIST guidance is flexible, provided agency\nimplementation is consistent with the principles and processes outlined within the NIST\nguidance.\n\nCarson Associates reviewed the Fee Systems Risk Assessment, Security Plan, and Business\nContinuity Plan and found that while the documentation is up-to-date, it is not always consistent\nwith NIST guidelines.\n\n\n\n\n8\n NIST is part of the Technology Administration within the Department of Commerce.\n9\n OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management\nAct, dated August 23, 2004.\n\n\n                                                    3\n\x0c                                                                    System Evaluation of the Fee Systems\n\n\n\nFee Systems Security Plan Does Not Describe All Security Controls Identified As In-Place\n\nOMB A-130 states that security plans shall be consistent with guidance issued by NIST. NIST\nSpecial Publication (SP) 800-18, Guide for Developing Security Plans for Information\nTechnology Systems, states that the purpose of a security plan is to provide an overview of the\nsecurity requirements of the system and describe controls in place or planned for meeting those\nrequirements. NIST SP 800-18 also states that the security plan should fully identify and\ndescribe the controls currently in place, or planned for the system. 
However, Carson Associates\nfound several areas in the Final System Security Plan for the Fee Systems, dated May 2003,\nwhere controls were not described.\n\nIn order to identify what controls are currently in place for the Fee Systems, Carson Associates\nreviewed and analyzed two other documents in conjunction with the Fee Systems Security Plan \xe2\x80\x93\nthe Fee Systems self-assessment, and results from security test and evaluation of the Fee Systems\ncontrols conducted during the certification and accreditation of the Fee Systems.\n\nFISMA requires agencies to test the management, operational, and technical controls of every\ninformation system identified in their inventory no less than annually. OMB has instructed\nagencies to use NIST SP 800-26, Self-Assessment Guide for Information Technology Systems, to\nconduct the annual reviews. NIST SP 800-26 is based on the Chief Information Officer\nCouncil\xe2\x80\x99s \xe2\x80\x9cFederal Information Technology Security Assessment Framework\xe2\x80\x9d (the Framework).\nThe Framework comprises five levels to guide agency assessments of their security programs\nand assist in prioritizing efforts for improvement. Level 1 reflects that an asset has documented\nsecurity policy. At Level 2, the asset also has documented procedures and controls to implement\nthe policy. For Level 3, procedures and controls have been implemented to protect the asset.\nLevel 4 indicates that procedures and controls are tested and reviewed. Finally, at Level 5, the\nasset has procedures and controls fully integrated into a comprehensive program.\n\nCarson Associates reviewed the FY 2003 Fee Systems self-assessment in order to identify\ncontrols in place for the Fee Systems. Any controls marked at least at a Level 3 in the Fee\nSystems self-assessment are considered to be in place based on the above definitions. 
The FY\n2003 self-assessment was reviewed as the agency had only provided a draft of the FY 2004 self-\nassessment when the fieldwork was conducted.\n\nCarson Associates also reviewed the results of the security test and evaluation of the Fee\nSystems controls conducted during the certification and accreditation of the Fee Systems.\nSecurity certification is a comprehensive assessment of the management, operational, and\ntechnical security controls in an information system, made in support of security accreditation, to\ndetermine the extent to which the controls are implemented correctly, operating as intended, and\nproducing the desired outcome with respect to meeting the security requirements for the system.\nAppendix D of the Fee Systems Security Test and Evaluation Plan and Report, dated May 2003,\nincludes test procedure worksheets used to record the results of the testing. The test objectives\non the test procedure worksheets correspond to the control objectives in the NIST SP 800-26\nself-assessment. Each test objective is marked as either pass, fail, or not applicable. A test\nobjective marked as pass represents a security control that is in place.\n\n\n\n\n                                                 4\n\x0c                                                                    System Evaluation of the Fee Systems\n\n\n\nAs a result of the review of the Fee Systems Security Plan, self-assessment, and security test and\nevaluation results, Carson Associates identified several cases where either the self-assessment\nand/or the test procedure worksheet indicated a control was in place, but it was not described in\nthe Security Plan. 
The following are some examples:\n\n   \xe2\x80\xa2   The Fee Systems Security Plan does not describe tests and examinations of key controls\n       (i.e., network scans, analyses of router and switch settings, penetration testing).\n       However, this control is marked as \xe2\x80\x9cpass\xe2\x80\x9d on the test procedure worksheets, and is\n       marked as a Level 5 in the Fee Systems self-assessment.\n   \xe2\x80\xa2   The Fee Systems Security Plan does not describe how lists of authorized users and their\n       access are maintained and approved. However, this control is marked as a Level 5 in the\n       Fee Systems self-assessment, and is marked as \xe2\x80\x9cpass\xe2\x80\x9d on the test procedure worksheets.\n   \xe2\x80\xa2   The Fee Systems Security Plan does not describe procedures that ensure terminated or\n       transferred individuals do not retain system access. However, this control is marked as a\n       Level 3 in the Fee Systems self-assessment, and is marked as \xe2\x80\x9cpass\xe2\x80\x9d on the test procedure\n       worksheets.\n\nCarson Associates also identified several instances where the information in the Fee Systems\nSecurity Plan, self-assessment and test procedure worksheets is inconsistent. The following are\nsome examples:\n\n   \xe2\x80\xa2   The Fee Systems Security Plan does not describe whether access scripts with embedded\n       passwords are allowed. The Fee Systems self-assessment indicates this control is not\n       applicable, but the control is marked as \xe2\x80\x9cpass\xe2\x80\x9d on the test procedure worksheets.\n   \xe2\x80\xa2   The Fee Systems Security Plan does not describe whether inactive accounts are\n       monitored and if they are removed when not needed. This control is marked as Level 5\n       in the Fee Systems self-assessment. 
However, this control is marked as \xe2\x80\x9cfail\xe2\x80\x9d on the test\n       procedure worksheets.\n\nRECOMMENDATIONS\n\n   The Office of the Inspector General recommends that the Chief Financial Officer:\n\n   1. Update the Fee Systems Security Plan to describe all controls currently in place. In-place\n      controls are those marked at least at Level 3 in the self-assessment, and that were\n      documented as passed in the last Security Test and Evaluation Plan and Report, or in any\n      test and evaluation on controls added since publication of that report.\n\n   2. Update the Fee Systems self-assessment to reflect controls in place. In-place controls are\n      those that were documented as passed in the last Security Test and Evaluation Plan and\n      Report, or in any test and evaluation on controls added since publication of that report.\n\n\n\n\n                                                 5\n\x0c                                                                    System Evaluation of the Fee Systems\n\n\n\nFee Systems Business Continuity Plan Is Not Consistent With NIST Guidelines\n\nCarson Associates reviewed the Fee Systems Business Continuity Plan (BCP), dated May 2003.\nGuidance on developing contingency plans can be found in NIST SP 800-34, Contingency\nPlanning Guide for Information Technology Systems, which was published in June 2002. As\nrecommended by OMB, Carson Associates reviewed the Fee Systems BCP for consistency with\nNIST guidelines and found that in some instances, the Fee Systems BCP is not consistent with\nNIST guidelines.\n\nAccording to the agency, NRC requires annual updates of all BCPs, however NRC only requires\nconformance with current NIST guidance at the time of re-accreditation. This policy is not\ndocumented in any agency management directive or in any documentation reviewed by Carson\nAssociates. 
Carson Associates was informed of this policy during the exit conference held to discuss the findings of the Fee Systems system evaluation. Subsequent to the exit conference, Carson Associates reviewed previous NIST guidance on the preparation of contingency plans, Federal Information Processing Standards (FIPS) Publication 87, Guidelines for ADP Contingency Planning, and found that the Fee Systems BCP is also not consistent with the FIPS 87 guidance. As stated earlier in this report, while the version of MD 12.5 that was in effect at the time the Fee Systems BCP was published did not require compliance with NIST guidelines, OMB requires agencies to follow NIST standards and guidance.

OFFICIAL USE ONLY PARAGRAPH REDACTED

NIST SP 800-34 states that the contingency plan should be a living document that is changed as required to reflect system, operational, or organizational changes. Modifications made to the plan should be recorded in a record of changes. The Fee Systems BCP does not include any information on what changes have been made to the plan and when. Without this information, Carson Associates could not determine whether the BCP was updated as part of the annual requirement, or as part of a system re-accreditation. FIPS 87 also states that an essential element of any volatile document, such as a contingency plan, is a method of recording changes to the document.

NIST SP 800-34 suggests including a line of succession that identifies personnel responsible to assume authority for executing the contingency plan in the event the designated person is unavailable or unable to do so.
The line of succession may continue down to the level necessary based on the organization’s needs, but must be carefully coordinated with the continuity of operations plan to ensure there are no responsibility conflicts. FIPS 87 also states that the BCP should include a section that clearly delineates how the chain of command is to function when an emergency strikes. The Fee Systems BCP does not list the line of succession to assume authority for executing the plan.

NIST SP 800-34 describes roles and responsibilities, including a discussion of appropriate teams to implement the system recovery strategy. Each team should be trained and ready to deploy in the event of a disruptive situation requiring plan activation. Recovery personnel should be assigned to one of several specific teams that will respond to the event, recover capabilities, and return the system to normal operations. The specific types of teams required are based on the system affected. The size of each team, specific team titles, and hierarchy designs depend on the organization. The BCP should include a section describing responsibilities, including the overall structure of contingency teams, including the hierarchy and coordination mechanisms and requirements among the teams. The section also provides an overview of team member roles and responsibilities in a contingency situation. While FIPS 87 does not include the same level of detail as NIST SP 800-34 in its discussion of the people involved in contingency planning, it does state that it is necessary to associate people, skills and management in recovery. Alternates for persons with peculiar skills or with skills in very short supply must be designated.
The Fee Systems BCP includes a list of contacts in Section 1, but the document does not describe the structure and membership of the contingency teams.

NIST SP 800-34 describes notification procedures and states that they should be documented in the plan for both events that occur with and without prior notice. For example, advance notice is often given that a hurricane will affect an area or that a computer virus is expected on a certain date. However, there may be no notice of equipment failure or a criminal act. The procedures should describe the methods used to notify recovery personnel during business and non-business hours. Prompt notification is important for reducing the effects on the system; in some cases, it may provide enough time to allow system personnel to shut down the system gracefully to avoid a hard crash.

NIST SP 800-34 also states that personnel to be notified in the event of a disaster should be clearly identified in the contact list appended to the plan. The list should identify personnel by their team position, name, and contact information (e.g., home number, work number, pager number, email address, and home address). FIPS 87 also stresses the importance of including the name, address, and phone numbers of all people who may be required in any backup or recovery scenario in the BCP.

However, the personnel contact information in the Fee Systems BCP is not complete and does not include notification procedures or contact information for notifying personnel during non-business hours. Not having up-to-date contact information to reach the designated teams during both business and non-business hours may cause delays in the disaster recovery process.

NIST SP 800-34 describes the fourth step of the contingency process as “develop recovery strategies.” Thorough recovery strategies ensure that the system can be recovered quickly and effectively following a disruption. The fifth step is to develop the contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system. Procedures should be written in a stepwise, sequential format so system components may be restored in a logical manner. The procedures should also include instructions to coordinate with other teams when certain situations occur, such as when an action is not completed within the expected time frame, when a key step has been completed, when item(s) must be procured, or other system-specific concerns.

To facilitate recovery phase operations, the contingency plan should provide detailed procedures to restore the system or system components. Recovery procedures should be written in a straightforward, step-by-step style. To prevent difficulty or confusion in an emergency, no procedural steps should be assumed or omitted. A checklist format is useful for documenting the sequential recovery procedures and for troubleshooting problems if the system cannot be recovered properly.

However, in the Fee Systems BCP, recovery actions are described at a very high level and do not include specific technical details on how to restore a system from backup tapes. While restoring the system from backup tapes is primarily the responsibility of other organizations within NRC, the contingency plan should include more details on what steps the System Owner must follow once the system has been restored.
For example, the Fee Systems BCP does not include steps for testing system functionality after restoration from backup. In addition, procedures for restoring system operations are not outlined for each team to operate the system in coordination with the system at the original or new site.

NIST SP 800-34 defines the reconstitution phase as when recovery activities are terminated and normal operations are transferred back to the organization’s facility. The reconstitution phase should specify teams responsible for restoring or replacing both the site and the system. The Fee Systems BCP does not include procedures for restoring system operations that include procedures for cleaning the alternate site of any equipment or other materials belonging to the organization, with a focus on handling sensitive information. While FIPS 87 does not discuss specific procedures to be followed for cleaning the alternate site of any equipment or other materials belonging to the organization, these procedures are necessary to ensure that no sensitive materials remain at the alternate site.

RECOMMENDATIONS

   The Office of the Inspector General recommends that the Chief Financial Officer:

   3. Keep copies of the As-Built System Documentation in the same location as the Fee Systems Business Continuity Plan to facilitate access during disaster recovery.

   4.
Update the Fee Systems Business Continuity Plan to include the following changes:

         •   Record modifications to the plan in a record of changes to include what changes were made (e.g., the page numbers or section numbers where the changes were made), why the changes were made (e.g., annual update or update during re-accreditation), and date of change.
         •   Include an order of succession that identifies personnel responsible to assume authority for executing the contingency plan in the event the designated person is unavailable or unable to do so.
         •   Include a description of the overall structure of contingency teams, including the hierarchy and coordination mechanisms and requirements among the teams. The description should include an overview of team member roles and responsibilities in a contingency situation. Teams and team members should be designated for specific response and recovery roles during contingency plan activation.
         •   Describe the methods used to notify recovery personnel during business and non-business hours.
         •   Include more detailed steps for recovery actions and assign procedures to the appropriate recovery team(s).
         •   Include procedures for restoring system operations, with a focus on how to clean the alternate site of any equipment or other materials belonging to the organization.

3.2 Findings and Recommendations Resulting From Testing Are Not Consistently Being Tracked

The FY 2003 FISMA independent evaluation of NRC’s information security program found that the agency’s corrective action process needed improvement.
NRC has two primary tools for tracking the progress of corrective actions related to correcting weaknesses identified during the annual agency security review, the OIG independent evaluation, various security documents, and other security studies conducted by or on behalf of the agency. At a high level, NRC uses the plan of action and milestones (POA&M) submitted to OMB to track corrective actions from the OIG annual independent evaluation and the agency’s annual review. At a more detailed level, NRC uses the NRC Information Technology Systems Security Tracking System (ITSSTS) to track the progress of internal corrective actions (i.e., those not reported to OMB). ITSSTS is used to track more specific corrective actions, such as those resulting from risk assessments; security test and evaluation associated with the certification and accreditation process; and contingency plan testing.

The FY 2003 FISMA independent evaluation of NRC’s information security program also found that not all corrective actions resulting from security reviews and testing were being tracked. The OIG recommended that the agency identify all weaknesses and recommendations from security documentation and any other security reviews, and determine in which tool the recommendations will be tracked. In November 2003, OCIO issued a memo describing the agency’s information technology security action item tracking process, strategy, and tools. The memo describes the types of activities that might identify security weaknesses in NRC information technology systems and describes the two tools used by NRC for tracking the process of security corrective actions – the FISMA POA&M and the ITSSTS.
Carson Associates found that findings and recommendations resulting from testing of the Fee Systems security controls are not consistently being tracked.

Findings and Recommendations Resulting from the Fee Systems Certification and Accreditation Are Not Consistently Being Tracked

The Fee Systems Risk Assessment identified nine risks. The Fee Systems Remediation Plan and subsequent Project Plan state that three risks are acceptable, and provide a detailed discussion of corrective actions necessary to mitigate the remaining risks. The Project Plan proposes a total of sixteen tasks to address the remaining risks, with two tasks stated as recently completed. The Project Plan includes a detailed discussion of the remaining tasks, and includes a timeline for completing the outstanding tasks. The ITSSTS is reporting three of the remaining risks (also referred to as weaknesses) as “Completed,” when the Project Plan indicates that the tasks required to address the three weaknesses have not been completed. The ITSSTS is also reporting three weaknesses as “Scheduled.” However, the ITSSTS is not tracking the individual tasks required to address the weaknesses. In some instances, more than one task was suggested to close the weakness. By including only the weakness in the ITSSTS and not the individual tasks required to address the weakness, the agency is not able to track completion of the individual tasks proposed in the Project Plan.

RECOMMENDATIONS

   The Office of the Inspector General recommends that the Executive Director for Operations:

   5. Update the agency’s internal tracking system to reflect the current status of weaknesses identified during the Fee Systems Risk Assessment.

   6.
Update the agency’s internal tracking system to include the individual tasks proposed in the Fee Systems Project Plan to resolve the weaknesses identified during the Fee Systems Risk Assessment.

4 Consolidated List of Recommendations

The Office of the Inspector General recommends that the Chief Financial Officer:

    1. Update the Fee Systems Security Plan to describe all controls currently in place. In-place controls are those marked at least at Level 3 in the self-assessment, and that were documented as passed in the last Security Test and Evaluation Plan and Report, or in any test and evaluation on controls added since publication of that report.

    2. Update the Fee Systems self-assessment to reflect controls in place. In-place controls are those that were documented as passed in the last Security Test and Evaluation Plan and Report, or in any test and evaluation on controls added since publication of that report.

    3. Keep copies of the As-Built System Documentation in the same location as the Fee Systems Business Continuity Plan to facilitate access during disaster recovery.

    4.
Update the Fee Systems Business Continuity Plan to include the following changes:

       •   Record modifications to the plan in a record of changes to include what changes were made (e.g., the page numbers or section numbers where the changes were made), why the changes were made (e.g., annual update or update during re-accreditation), and date of change.
       •   Include an order of succession that identifies personnel responsible to assume authority for executing the contingency plan in the event the designated person is unavailable or unable to do so.
       •   Include a description of the overall structure of contingency teams, including the hierarchy and coordination mechanisms and requirements among the teams. The description should include an overview of team member roles and responsibilities in a contingency situation. Teams and team members should be designated for specific response and recovery roles during contingency plan activation.
       •   Describe the methods used to notify recovery personnel during business and non-business hours.
       •   Include more detailed steps for recovery actions and assign procedures to the appropriate recovery team(s).
       •   Include procedures for restoring system operations, with a focus on how to clean the alternate site of any equipment or other materials belonging to the organization.

The Office of the Inspector General recommends that the Executive Director for Operations:

    5.
Update the agency’s internal tracking system to reflect the current status of weaknesses identified during the Fee Systems Risk Assessment.

    6. Update the agency’s internal tracking system to include the individual tasks proposed in the Fee Systems Project Plan to resolve the weaknesses identified during the Fee Systems Risk Assessment.

5 OIG Response to Agency Comments

On September 14, 2004, the Executive Director for Operations and the Chief Financial Officer provided comments concerning the draft system evaluation report. We modified the report as we determined appropriate in response to these comments.

Appendix A

SCOPE AND METHODOLOGY

To perform the Fee Systems system evaluation, Carson Associates reviewed the system’s security documentation, including the Security Plan, Risk Assessment, self-assessment, Business Continuity Plan, System Test and Evaluation Plan and Report, Certification and Accreditation documentation, and the completion of weaknesses addressed, if any, within the FY 2003 plan of action and milestones.
Comprehensive document checklists were used in the evaluation process. Carson Associates also conducted a phone interview with the Fee Systems System Security Officer.

Carson Associates also reviewed certification and accreditation documentation for the NIH mainframe, which hosts two of the Fee Systems applications.

The work was conducted from June 2004 to August 2004 in accordance with guidelines from the National Institute of Standards and Technology, and best practices for evaluating security controls. Jane Laroussi from Carson Associates conducted the work.
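As an added example that is not part of the OIG report or of any agency tool, the following Python script turns two of the report's comparison rules into automated checks: the cross-document rule of section 3.1 and recommendation 1 (a control is in place when its self-assessment level is at least 3 and the test procedure worksheet records a pass, and the Security Plan must then describe it), and the weakness-versus-task roll-up of section 3.2 (an ITSSTS weakness should not read "Completed" while Project Plan tasks remain open). Control names, levels and task lists are constructed to mirror the report's bullet examples, and the inconsistency checks generalize from the report's Level 5 cases to any level at or above the in-place threshold.

```python
"""Constructed reconciliation checks for the artifacts this report compares:
per control, whether the Security Plan describes it, its self-assessment
level (or "not applicable"), and the ST&E worksheet result (section 3.1);
per weakness, the ITSSTS status versus its Project Plan tasks (section 3.2)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

IN_PLACE_LEVEL = 3  # recommendation 1: in place = at least Level 3 and passed in ST&E

@dataclass(frozen=True)
class Control:
    name: str
    in_plan: bool         # Security Plan describes the control
    level: Optional[int]  # self-assessment level; None = marked "not applicable"
    ste: str              # test procedure worksheet result: "pass" or "fail"

def in_place(c: Control) -> bool:
    """Recommendation 1's definition of an in-place control."""
    return c.level is not None and c.level >= IN_PLACE_LEVEL and c.ste == "pass"

def check_control(c: Control) -> List[str]:
    """Return the inconsistencies section 3.1 describes, generalized from the
    report's Level 5 examples to any level that claims the control is in place."""
    findings = []
    if in_place(c) and not c.in_plan:
        findings.append("in place but not described in the Security Plan")
    if c.level is None and c.ste == "pass":
        findings.append("self-assessment says not applicable but ST&E passed")
    if c.level is not None and c.level >= IN_PLACE_LEVEL and c.ste == "fail":
        findings.append(f"self-assessment Level {c.level} but ST&E failed")
    return findings

def derived_weakness_status(tasks: Dict[str, bool]) -> str:
    """ITSSTS status implied by the Project Plan tasks (task -> completed?).
    A weakness is Completed only when every task that closes it is done."""
    if not tasks:
        return "Unscheduled"
    return "Completed" if all(tasks.values()) else "Scheduled"

def check_tracking(reported: str, tasks: Dict[str, bool]) -> Optional[str]:
    """Flag a weakness whose ITSSTS status disagrees with its task list."""
    derived = derived_weakness_status(tasks)
    if reported != derived:
        return f"ITSSTS reports {reported!r} but tasks imply {derived!r}"
    return None

# Constructed controls mirroring the report's bullet examples, plus one consistent one.
SAMPLE_CONTROLS = [
    Control("Periodic tests of key controls", False, 5, "pass"),
    Control("Authorized user list approval", False, 5, "pass"),
    Control("Access removal on termination/transfer", False, 3, "pass"),
    Control("Access scripts with embedded passwords", False, None, "pass"),
    Control("Inactive account monitoring", False, 5, "fail"),
    Control("Audit trail review", True, 4, "pass"),
]

def reconcile(controls=SAMPLE_CONTROLS) -> Dict[str, List[str]]:
    """Map each inconsistent control name to its findings."""
    result = {}
    for c in controls:
        findings = check_control(c)
        if findings:
            result[c.name] = findings
    return result
```

Running `reconcile()` on the sample set flags five of the six controls, and `check_tracking("Completed", {"task 1": True, "task 2": False})` reproduces the section 3.2 finding of a weakness reported complete while a task is still open.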